Previously you learned how to integrate Azure Security Center with Azure Sentinel so that alerts are tracked as incidents in Azure Sentinel. Now you have decided to connect many Azure Security Center instances to your Azure Sentinel.
This article is not going to walk through step-by-step guidance on how to connect ASC to Azure Sentinel. Instead it provides some notes on how to programmatically interact with Azure Sentinel, as well as a sample script to help you complete your job.
TL;DR: You can skip this article and use the script from here https://github.com/azsec/azure-sentinel-tools/tree/master/scripts
Azure Sentinel API
There is an Azure Sentinel API, but Microsoft seems to still be finalizing and improving it. If you remember, the original name of Azure Sentinel was Azure Security Insights, and the Azure Sentinel API still uses that old name (the Microsoft.SecurityInsights resource provider).
For working with connectors specifically, the request Uri (built here as a PowerShell string) looks as follows:
"https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/dataConnectors/" + $connectorName + "?api-version=2019-01-01-preview"
- WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel is connected to (its full Azure resource Id path, which is why it is appended directly to the management endpoint above).
- ConnectorName is a little tricky. It should be in GUID format so that it doesn't conflict with other connectors during API operation calls (especially when you are testing).
The request body is straightforward. Make sure you follow the casing of the property names, otherwise you will encounter an error about parsing data.
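As an added example (not the script from the azsec repository), the following PowerShell function puts the notes above together: it builds the Uri, enforces a GUID connector name, and PUTs a body with the exact casing the API expects. The body property names (kind, properties.subscriptionId, properties.dataTypes.alerts.state) follow the Microsoft.SecurityInsights data connector schema for the AzureSecurityCenter kind, and Get-AzAccessToken comes from the Az.Accounts module; both are assumptions not shown on this page.

```powershell
# Added example, not the page's script: create or update an Azure Security Center
# data connector in Azure Sentinel via the Microsoft.SecurityInsights REST API.
# Assumptions: $WorkspaceId is the workspace's full Azure resource Id path, the caller
# already holds an ARM bearer token, and the body follows the AzureSecurityCenter
# connector schema (kind + properties.subscriptionId + properties.dataTypes.alerts.state).
function New-AzSentinelAscConnector {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # e.g. /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>
        [Parameter(Mandatory)][string]$WorkspaceId,
        # Subscription whose ASC alerts should be ingested (must be on the ASC Standard tier)
        [Parameter(Mandatory)][string]$AscSubscriptionId,
        [Parameter(Mandatory)][string]$AccessToken,
        # A fresh GUID per connector avoids name clashes on repeated calls
        [string]$ConnectorName = [guid]::NewGuid().ToString()
    )

    # Reject non-GUID names up front, as the article recommends GUID-formatted names.
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($ConnectorName, [ref]$parsed)) {
        throw "ConnectorName '$ConnectorName' is not a GUID."
    }

    $uri = "https://management.azure.com" + $WorkspaceId +
           "/providers/Microsoft.SecurityInsights/dataConnectors/" + $ConnectorName +
           "?api-version=2019-01-01-preview"

    # Property names are case-sensitive on this API; keep them exactly as written here.
    $body = @{
        kind       = "AzureSecurityCenter"
        properties = @{
            subscriptionId = $AscSubscriptionId
            dataTypes      = @{ alerts = @{ state = "Enabled" } }
        }
    } | ConvertTo-Json -Depth 5

    $headers = @{
        Authorization  = "Bearer $AccessToken"
        "Content-Type" = "application/json"
    }

    # -WhatIf shows the target Uri without sending the request.
    if ($PSCmdlet.ShouldProcess($uri, "PUT AzureSecurityCenter data connector")) {
        Invoke-RestMethod -Method Put -Uri $uri -Headers $headers -Body $body
    }
}

# Usage: connect several ASC subscriptions to one workspace.
# $token = (Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token
# foreach ($sub in $ascSubscriptions) {
#     New-AzSentinelAscConnector -WorkspaceId $wsId -AscSubscriptionId $sub -AccessToken $token
# }
```

Run it once with -WhatIf first to confirm the Uri resolves to the intended workspace before any connector is written.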
Azure Security Center Standard Tier
You do need to ensure your Azure Security Center is using the Standard plan; otherwise Azure Sentinel won't allow ASC to be connected.
You don't have to enable the Standard tier for all resource types.
Now you are good to go!